'\" te
.\" Copyright (c) 2006 Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH KADM5.ACL 5 "Oct 29, 2015"
.SH NAME
kadm5.acl \- Kerberos access control list (ACL) file
.SH SYNOPSIS
.LP
.nf
\fB/etc/krb5/kadm5.acl\fR
.fi

.SH DESCRIPTION
.sp
.LP
The \fBACL\fR file is used by the \fBkadmind\fR(8) command to determine which
principals are allowed to perform Kerberos administration actions. For
operations that affect principals, the \fBACL\fR file also controls which
principals can operate on which other principals. The location of the \fBACL\fR
file is determined by the \fBacl_file\fR configuration variable in the
\fBkdc.conf\fR(5) file. The default location is \fB/etc/krb5/kadm5.acl\fR.
.sp
.LP
For incremental propagation, see \fBkadmind\fR(8). The ACL file must contain
the \fBkiprop\fR service principal with propagation privileges in order for the
slave KDC to pull updates from the master's principal database. Refer to the
EXAMPLES section for this case.
.sp
.LP
The \fBACL\fR file can contain comment lines, null lines, or lines that contain
\fBACL\fR entries. Comment lines start with the pound sign (\fB#\fR) and
continue until the end of the line.
.sp
.LP
The order of entries is significant. The first matching entry specifies the
principal on which the control access applies, whether it is on just the
principal or on the principal when it operates on a target principal.
.sp
.LP
Lines containing \fBACL\fR entries must have the following format:
.sp
.in +2
.nf
\fIprincipal\fR \fIoperation-mask\fR [\fIoperation-target\fR]
.fi
.in -2
.sp

.sp
.ne 2
.na
\fB\fIprincipal\fR\fR
.ad
.RS 20n
Specifies the principal on which the \fIoperation-mask\fR applies. Can specify
either a partially or fully qualified Kerberos principal name. Each component
of the name can be substituted with a wildcard, using the asterisk ( \fB*\fR )
character.
.RE

.sp
.ne 2
.na
\fB\fIoperation-mask\fR\fR
.ad
.RS 20n
Specifies what operations can or cannot be performed by a principal matching a
particular entry. Specify \fIoperation-mask\fR as one or more \fIprivilege\fRs.
.sp
A \fIprivilege\fR is a string of one or more of the following characters:
\fBa\fR, \fBA\fR, \fBc\fR, \fBC\fR, \fBd\fR, \fBD\fR, \fBi\fR, \fBI\fR,
\fBl\fR, \fBL\fR, \fBm\fR, \fBM\fR, \fBp\fR, \fBP\fR, \fBu\fR, \fBU\fR,
\fBx\fR, or \fB*\fR. Generally, if the character is lowercase, the privilege is
allowed and if the character is uppercase, the operation is disallowed. The
\fBx\fR and \fB*\fR characters are exceptions to the uppercase convention.
.sp
The following \fIprivilege\fRs are supported:
.sp
.ne 2
.na
\fB\fBa\fR\fR
.ad
.RS 5n
Allows the addition of principals or policies in the database.
.RE

.sp
.ne 2
.na
\fB\fBA\fR\fR
.ad
.RS 5n
Disallows the addition of principals or policies in the database.
.RE

.sp
.ne 2
.na
\fB\fBc\fR\fR
.ad
.RS 5n
Allows the changing of passwords for principals in the database.
.RE

.sp
.ne 2
.na
\fB\fBC\fR\fR
.ad
.RS 5n
Disallows the changing of passwords for principals in the database.
.RE

.sp
.ne 2
.na
\fB\fBd\fR\fR
.ad
.RS 5n
Allows the deletion of principals or policies in the database.
.RE

.sp
.ne 2
.na
\fB\fBD\fR\fR
.ad
.RS 5n
Disallows the deletion of principals or policies in the database.
.RE

.sp
.ne 2
.na
\fB\fBi\fR\fR
.ad
.RS 5n
Allows inquiries to the database.
.RE

.sp
.ne 2
.na
\fB\fBI\fR\fR
.ad
.RS 5n
Disallows inquiries to the database.
.RE

.sp
.ne 2
.na
\fB\fBl\fR\fR
.ad
.RS 5n
Allows the listing of principals or policies in the database.
.RE

.sp
.ne 2
.na
\fB\fBL\fR\fR
.ad
.RS 5n
Disallows the listing of principals or policies in the database.
.RE

.sp
.ne 2
.na
\fB\fBm\fR\fR
.ad
.RS 5n
Allows the modification of principals or policies in the database.
.RE

.sp
.ne 2
.na
\fB\fBM\fR\fR
.ad
.RS 5n
Disallows the modification of principals or policies in the database.
.RE

.sp
.ne 2
.na
\fB\fBp\fR\fR
.ad
.RS 5n
Allow the propagation of the principal database.
.RE

.sp
.ne 2
.na
\fB\fBP\fR\fR
.ad
.RS 5n
Disallow the propagation of the principal database.
.RE

.sp
.ne 2
.na
\fB\fBu\fR\fR
.ad
.RS 5n
Allows the creation of one-component user principals whose password can be
validated with PAM.
.RE

.sp
.ne 2
.na
\fB\fBU\fR\fR
.ad
.RS 5n
Negates the \fBu\fR privilege.
.RE

.sp
.ne 2
.na
\fB\fBx\fR\fR
.ad
.RS 5n
Short for specifying privileges \fBa\fR, \fBd\fR,\fBm\fR,\fBc\fR,\fBi\fR, and
\fBl\fR. The same as \fB*\fR.
.RE

.sp
.ne 2
.na
\fB\fB*\fR\fR
.ad
.RS 5n
Short for specifying privileges \fBa\fR, \fBd\fR,\fBm\fR,\fBc\fR,\fBi\fR, and
\fBl\fR. The same as \fBx\fR.
.RE

.RE

.sp
.ne 2
.na
\fB\fIoperation-target\fR\fR
.ad
.RS 20n
Optional. When specified, the \fIprivileges\fR apply to the \fIprincipal\fR
when it operates on the \fIoperation-target\fR. For the \fIoperation-target\fR,
you can specify a partially or fully qualified Kerberos principal name. Each
component of the name can be substituted by a wildcard, using the asterisk (
\fB*\fR ) character.
.RE

.SH EXAMPLES
.LP
\fBExample 1 \fRSpecifying a Standard, Fully Qualified Name
.sp
.LP
The following ACL entry specifies a standard, fully qualified name:

.sp
.in +2
.nf
user/instance@realm adm
.fi
.in -2
.sp

.sp
.LP
The \fIoperation-mask\fR applies only to the \fBuser/instance@realm\fR
principal and specifies that the principal can add, delete, or modify
principals and policies, but it cannot change passwords.

.LP
\fBExample 2 \fRSpecifying a Standard Fully Qualified Name and Target
.sp
.LP
The following ACL entry specifies a standard, fully qualified name:

.sp
.in +2
.nf
user/instance@realm cim service/instance@realm
.fi
.in -2
.sp

.sp
.LP
The \fIoperation-mask\fR applies only to the \fBuser/instance@realm\fR
principal operating on the \fBservice/instance@realm\fR target, and specifies
that the principal can change the target's password, request information about
the target, and modify it.

.LP
\fBExample 3 \fRSpecifying a Name Using a Wildcard
.sp
.LP
The following ACL entry specifies a name using a wildcard:

.sp
.in +2
.nf
user/*@realm ac
.fi
.in -2
.sp

.sp
.LP
The \fIoperation-mask\fR applies to all principals in realm \fBrealm\fR whose
first component is \fBuser\fR and specifies that the principals can add
principals and change passwords.

.LP
\fBExample 4 \fRSpecifying a Name Using a Wildcard and a Target
.sp
.LP
The following ACL entry specifies a name using a wildcard and a target:

.sp
.in +2
.nf
user/*@realm i */instance@realm
.fi
.in -2
.sp

.sp
.LP
The \fIoperation-mask\fR applies to all principals in realm \fBrealm\fR whose
first component is \fBuser\fR and specifies that the principals can perform
inquiries on principals whose second component is \fBinstance\fR and realm is
\fBrealm\fR.

.LP
\fBExample 5 \fRSpecifying Incremental Propagation Privileges
.sp
.LP
The following ACL entry specifies propagation privileges for the \fBkiprop\fR
service principal:

.sp
.in +2
.nf
kiprop/slavehost@realm p
.fi
.in -2

.sp
.LP
The operation-mask applies to the \fBkiprop\fR service principal for the
specified slave host \fBslavehost\fR in realm \fBrealm\fR. This specifies that
the associated \fBkiprop\fR service principal can receive incremental principal
updates.

.SH FILES
.sp
.ne 2
.na
\fB\fB/etc/krb5/kdc.conf\fR\fR
.ad
.RS 22n
KDC configuration information.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(7) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Interface Stability	Evolving
.TE

.SH SEE ALSO
.sp
.LP
.BR kpasswd (1),
.BR kdc.conf (5),
.BR attributes (7),
.BR kerberos (7),
.BR pam_krb5_migrate (7),
.BR kadmin.local (8),
.BR kadmind (8),
.BR kdb5_util (8)
